MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e123b59da3a2874534711b66e7dc335afabb5b25b600cbd74bdc25d91b7e373a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AteraAgent


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e123b59da3a2874534711b66e7dc335afabb5b25b600cbd74bdc25d91b7e373a
SHA3-384 hash: a50088b74c28cab0df40d217ceb87a7e9e7232662e56ca57360583181242fe05a3345945e8437062273178ac64bdcd74
SHA1 hash: 2ad116cf4ced627fdb82daeaf3f8dc65cea23fa9
MD5 hash: 8c74347ffbdcd154330cc20cb65c5b4c
humanhash: cold-jig-muppet-alaska
File name:SecuriteInfo.com.Program.RemoteAdminNET.1.24134.11104
Download: download sample
Signature AteraAgent
Create hunting rule
File size:2'994'176 bytes
First seen:2025-07-22 05:20:03 UTC
Last seen:2025-07-22 06:25:44 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:7+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:7+lUlz9FKbsodq0YaH7ZPxMb8tT
Threatray 262 similar samples on MalwareBazaar
TLSH T121D5231275C4483AE37B0A358D7AD6A05E7DFE605B70CA8E9308741E2E705C1AB76B73
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter SecuriteInfoCom
Tags:AteraAgent msi signed

Code Signing Certificate

Organisation:Atera Networks Ltd
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2025-01-23T00:00:00Z
Valid to:2026-01-22T23:59:59Z
Serial number: 09d3cbf84332886ff689b04baf7f768c
Intelligence: 45 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 9e1bec8810871217689196b90d12b43e62df343f2c8d886bf588f9d37a8d8d9a
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
25
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/16211/
Detection(s):
SecuriteInfo.com.Program.RemoteAdminNET.1.24134.11104.UNOFFICIAL
Create hunting rule

PUA.Win.File.AteraRemoteAdmin-9942568-0
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=687f1fbe2f623871a5f1a5a3
Tags:
malware
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
expand installer lolbin obfuscated rundll32 signed
Link:
https://www.filescan.io/uploads/687f1fab8a7d628a81bb988a/reports/68cee64a-e9d5-405b-8d54-0f611540cb70/overview
Verdict:
Malicious
Labled as:
Unwanted/BIN.RemoteAdmin
Link:
https://www.hybrid-analysis.com/sample/e123b59da3a2874534711b66e7dc335afabb5b25b600cbd74bdc25d91b7e373a
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/e123b59da3a2874534711b66e7dc335afabb5b25b600cbd74bdc25d91b7e373a
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Score:
18%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/e123b59da3a2874534711b66e7dc335afabb5b25b600cbd74bdc25d91b7e373a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e123b59da3a2874534711b66e7dc335afabb5b25b600cbd74bdc25d91b7e373a/
Threat name:
ByteCode-MSIL.Trojan.Atera
Create hunting rule
Status:
Malicious
First seen:
2025-07-21 22:05:04 UTC
File Type:
Binary (Archive)
Extracted files:
15
AV detection:
10 of 36 (27.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4er3lhndukdukndrdntopxbtll5lwwzfwyamxv2l3qs5sg36g45a._file
Verdict:
malicious
Label(s):
ateraagent
Create hunting rule
Similar samples:
394659c01bd981c3a4d5840fbd624c20e3270c9defc432ff3fe6ddb482b5ad46
AteraAgent
768eaad977f0e47869a05f653895ef1c14b3c83905a91e2b8dc56b718e056de6
AteraAgent
76fd57765b2c5d5a8b939f1eca35633f11d830b2700f828b06c26fb707035156
AteraAgent
819ad25e1dfd53f40ca7d7d176c2a1abf14b16fd5325936c1390ab3001e26af9
AteraAgent
9123db2530da8a858baeb94859fc4da626013fd4617220cb9693c3a9a704d1cf
AteraAgent
a6b86df4bdf042ad8fd4b5662d93b0359bb3e2f747081f7ca31408d5d9e4bda7
AteraAgent
error
AteraAgent
+ 252 additional samples on MalwareBazaar
Result
Malware family:
ateraagent
Create hunting rule
Score:
  10/10
Tags:
family:ateraagent bootkit defense_evasion discovery execution persistence privilege_escalation ransomware rat spyware trojan upx
Link:
https://tria.ge/reports/250722-f1sr7sstex/
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
System Time Discovery
Checks installed software on the system
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Launches sc.exe
Loads dropped DLL
Drops file in System32 directory
Event Triggered Execution: Component Object Model Hijacking
UPX packed file
Downloads MZ/PE file
Enumerates connected drives
Writes to the Master Boot Record (MBR)
Blocklisted process makes network request
Drops file in Drivers directory
AteraAgent
Ateraagent family
Detects AteraAgent
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d4d31e78-5e91-4b31-9c20-5eeeaf97ac96
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e123b59da3a2874534711b66e7dc335afabb5b25b600cbd74bdc25d91b7e373a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AteraAgent_RemoteAdmin_April_2024
Create hunting rule
Author:NDA0
Description:Detects AteraAgent Remote Admin Tool
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_SliverFox_String
Create hunting rule
Author:huoji
Description:Detect files is `SliverFox` malware
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AteraAgent

Microsoft Software Installer (MSI) msi e123b59da3a2874534711b66e7dc335afabb5b25b600cbd74bdc25d91b7e373a

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/16211/
  
URLhaus
https://urlhaus.abuse.ch/url/3587765/
  
Delivery method
Distributed via web download

Comments